APPARATUS AND METHOD TO COMPUTE IN JACOBIAN OF HYPERELLIPTIC 
CURVE DEFINED OVER GALOIS FIELD OF CHARACTERISTIC 2 

DESCRIPTION 

1. Field of the Invention 

The present invention relates to an apparatus and a method 
for computing the sum of a divisor D1=g.c.d.((a1(x)),(y-b1(x))) 
and a divisor D2=g.c.d.((a2(x)),(y-b2(x))) on the Jacobian of a 
hyperelliptic curve y^2+y=f(x) defined over GF(2^n). 

2. Background of the Invention 

This application discloses an algorithm suited for performing 
operations in hardware on the Jacobian of a hyperelliptic curve 
defined over GF(2^n). The following explains the prerequisite 
knowledge required to understand the present invention. 
[1] Hyperelliptic Curve and Divisor 

There is a field referred to as K, and its algebraic closure 
is referred to as K~ (K with a bar on it). A hyperelliptic 
curve C of genus g over K is defined by an equation of the 
form: 

y^2 + h(x)y = f(x). 

Here, h(x) is a polynomial of degree g at most, and f(x) is a 
monic polynomial of degree 2g+1. The polynomials f and h have 
coefficients in K, and curve C has no singular points. Also, 
when a rational point P=(x,y) is given, its opposite point is 
defined as P~ = (x, -y-h(x)) (P~ is P with a bar on it). If P 
is the point at infinity P∞, then P∞~ = P∞ (P∞~ is P∞ with a 
bar on it). Hereafter, this application assumes the case of 
field K=GF(2^n), h(x)=1. 

A divisor D of C is a finite formal sum of K~-points P1...Pr 
and is given by 
[Expression 1] 

The degree of divisor D is defined by deg D = Σ mi. 
[Expression 2] 
[Expression 3] 

By defining the sum of divisors of C as 
[Expression 4] 

D(C), the set of all divisors of C, forms an additive group 
which is called the divisor group. The divisors of degree 0 
form a subgroup which is denoted D^0(C). A non-zero rational 
function h of curve C has a finite number of zeros and poles, 
and div(h), the divisor of h, is defined by using the zeros 
and poles of h in 
[Expression 5] 

Here, Pi is a zero of rational function h, mi is its 
multiplicity, Qi is a pole of rational function h, ni is the 
multiplicity of the pole, and ord_Pi(h) is the order of 
rational function h at point Pi. A divisor of a non-zero 
rational function is called a principal divisor. The set of 
all principal divisors is called the principal divisor group, 
which is denoted D^l(C). 

In general, since the number of zeros and the number of poles 
of a rational function are equal when counted with 
multiplicity (order), D^l(C) ⊂ D^0(C). When two divisors 
D1 (Expression 1), D2 (Expression 2) ∈ D^0(C) are given, the 
g.c.d.(D1,D2) of the two divisors is defined by 

Σ min(mi, ni) Pi - (Σ min(mi, ni)) P∞. Also, from this 
expression, it is apparent that g.c.d.(D1, D2) ∈ D^0(C). 

[2] Definition of Jacobian 

The Jacobian is defined to be the quotient group 
D^0(C)/D^l(C) (see "Number Theory 2" by Yoshihiko Yamamoto, 
Iwanami Shoten (1996)). This is denoted as J(C). If 
D1, D2 ∈ D^0(C) and D1-D2 ∈ D^l(C), D1 and D2 are called 
linearly equivalent. Any D ∈ D^0(C) can be transformed to a 
divisor D1 (mi ≥ 0) which satisfies the following conditions. 
[Expression 6] 
(1) D1 ~ D 

(2) If Pi appears in D1, then the point Pi~ does not appear 
as one of the other Pj. 

(3) When Pi = Pi~, mi is 1 at most. 

Such a divisor is called semi-reduced. An element of the 
Jacobian is uniquely represented by such a semi-reduced 
divisor subject to the additional condition that 
[Expression 7] 

Such a divisor is called a reduced divisor. 

Any semi-reduced divisor D can be uniquely represented by 
D = g.c.d.((a(x)),(y-b(x))). Here, a(x) = Π (x-xi)^mi and 
b(x) is the unique polynomial of degree < deg(a) satisfying 
b(xi)=yi. A necessary and sufficient condition for D to be a 
reduced divisor is deg a ≤ g. Hereafter, 
g.c.d.((a(x)),(y-b(x))) is denoted as div(a,b) following 
"Computing in the Jacobian of a Hyperelliptic Curve," D. G. 
Cantor, Math. of Comp., 48, No. 177, pp. 95-101, (1987). In 
addition, divisor D is regarded as a pair of polynomials a 
and b hereafter. 

The discrete logarithm problem on J(C;GF(2^n)) is the problem 
of determining an integer m such that D1 = mD2 for 
D1, D2 ∈ J(C;GF(2^n)). 

[3] Security Conditions of Jacobian 

The conditions which the Jacobian J(C;GF(2^n)) must satisfy 
in order to construct a secure hyperelliptic curve 
cryptosystem are as follows, according to "Construction and 
Implementation of a Secure Hyperelliptic Curve Cryptosystem," 
Yasuyuki Sakai, Yuichi Ishizuka and Kouichi Sakurai, 
SCIS'98-10.1.B, Jan., 1998, etc. 

C1: #J(C;GF(2^n)) is divisible by a large prime number. 

C2: (2^n)^k - 1, k < (log2 2^n)^2, is indivisible by the 
largest prime factor of #J(C;GF(2^n)). 

C3: 2g+1 < log2 n 
[4] Algorithm for Computing in Jacobian 

Addition in the Jacobian is, for D1, D2 ∈ J(C;GF(2^n)), to 
find a reduced divisor D' which is linearly equivalent to 
D1+D2. According to the aforementioned article of Cantor and 
"Hyperelliptic Curve Cryptosystems," N. Koblitz, Journal of 
Cryptology, 1, pp. 139-150, (1989), an algorithm for addition 
consists of two procedures. In procedure 1, for input 
D1=div(a1,b1) and D2=div(a2,b2), a semi-reduced divisor D is 
found such that D1+D2 ~ D (D=div(a,b)). In procedure 2, with 
this D as input, a reduced divisor D' is found such that 
D ~ D' (D'=div(a',b'), deg b' < deg a', deg a' ≤ g). These 
procedures are as follows, if the hyperelliptic curve is 
y^2 + h(x)y = f(x). 

Procedure 1 

Input a1, b1   D1 = div(a1, b1) 
      a2, b2   D2 = div(a2, b2) 
Output a, b 

(1) s1(x), s2(x), s3(x) which satisfy d = s1a1 + s2a2 + 
s3(b1+b2+h) are calculated, where d = d(x) is the greatest 
common divisor (GCD) of the polynomials a1(x), a2(x) and 
b1(x)+b2(x)+h(x). 

(2) a(x), b(x) are calculated by the following expressions. 

a = a1a2/d^2 

b = (s1a1b2 + s2a2b1 + s3(b1b2+f))/d mod a 

Procedure 2 
Input a, b 

Output a', b'   (D to D') 

(1) a'(x) and b'(x) are calculated by the following 
expressions. 

a' = (f - hb - b^2)/a 
b' = (-h - b) mod a' 

(2) if (deg a' > g) then 

a = a' 
b = b' 
goto (1) 
else end 

In particular, procedure 1 can be simplified as follows in 
the case of doubling. 

Procedure 1 (doubling) 
a = a1^2 

b = (b1^2 + f) mod a 
goto procedure 2 (1) 

If it is calculated as is with the above algorithm, there is 
a drawback that operations on polynomials of degree 2g become 
necessary, leading to increased computational complexity. 

An object of the present invention is to implement 
computation in the Jacobian with less computational 
complexity. 

Another object of the present invention is to make it 
possible to implement computation in the Jacobian with a 
smaller hardware size. 

SUMMARY OF THE INVENTION 

As described in the article quoted above, Koblitz proposed a 
cryptosystem using the discrete logarithm problem on the 
Jacobian of a hyperelliptic curve whose genus is larger than 
1. However, it has been shown by Frey that Koblitz's 
hyperelliptic cryptosystem using g=2 curves isn't secure 
(see "A Remark Concerning m-Divisibility and the Discrete 
Logarithm in the Divisor Class Group of Curves," G. Frey, H. 
G. Rück, Math. of Comp., 62, No. 206, pp. 865-874, (1994)). 
As to curves whose genus is 3 or more, several curves which 
seem to be secure have been found (see "Construction and 
Implementation of a Secure Hyperelliptic Curve 
Cryptosystem," Yasuyuki Sakai, Yuichi Ishizuka and Kouichi 
Sakurai, SCIS'98-10.1.B, Jan., 1998; "A Hyperelliptic Curve 
Where Jacobian Becomes Almost Prime on a Finite Field of a 
Small Characteristic," Izuru Kitamura, SCIS'98-7.1.A, Jan., 
1998; and "Public Key Cryptosystems with Cab Curve (1)," S. 
Arita, IEICE ISEC97-54 pp. 13-23 (1997), etc.). 
In general, calculations in GF(2^n) are suited for hardware 
implementation for the following reasons. (1) Addition and 
multiplication can be performed at high speed on a relatively 
small-scale piece of hardware. (2) Squaring can be performed 
easily. (3) Inversion can be performed at high speed by the 
method proposed by Itoh and Tsujii ("A Fast Algorithm for 
Computing Multiplicative Inverse in GF(2^m) Using Normal 
Bases," T. Itoh, S. Tsujii, Inform. and Comput., vol. 83, 
No. 1, pp. 171-177, (1989)). Moreover, a hyperelliptic curve 
cryptosystem is more suited to hardware implementation than 
an elliptic curve cryptosystem, because the ground field to 
be used can be smaller than that for an elliptic curve 
cryptosystem, and the above-mentioned calculation of a 
greatest common divisor of polynomials in Cantor's algorithm 
can be performed efficiently by having multiple multipliers 
run in parallel. Accordingly, in the present invention, the 
computational complexity and the hardware size are reduced by 
improving Cantor's algorithm. 
Therefore, it has the following characteristics. Namely, an 
apparatus for computing the sum of a divisor 
D1=g.c.d.((a1(x)),(y-b1(x))) and a divisor 
D2=g.c.d.((a2(x)),(y-b2(x))) on the Jacobian of a 
hyperelliptic curve y^2+y=f(x) defined over GF(2^n) (g.c.d. 
is defined above) comprises: means for storing a1(x), a2(x), 
b1(x) and b2(x); and means for calculating 
q(x) = {s1(x)(b1(x)+b2(x))} mod a2(x) by using s1(x) in 
s1(x)a1(x)+s2(x)a2(x)=1 in the case GCD(a1(x),a2(x))=1, where 
GCD denotes the greatest common divisor of polynomials. Thus, 
a new function q(x) is introduced so as to reduce the entire 
computational complexity and the hardware size. While 
examples where the hyperelliptic curve is y^2+y=x^7 are 
described in detail in the embodiments, this q(x) can be used 
effectively even in the case of other hyperelliptic curves. 
Moreover, since the group operation is commutative, the same 
sum can be acquired by using the q(x) obtained by exchanging 
a1, b1 and s1 for a2, b2 and s2. Hereafter, it may be 
explained by using only one of the pair in order to avoid 
complication, yet it has the same meaning if exchanged: 
q(x) = {s1(x)(b1(x)+b2(x))} mod a2(x) can be replaced by 
q(x) = {s2(x)(b1(x)+b2(x))} mod a1(x). 

Moreover, in the case of D1=D2, means for storing a1(x) and 
b1(x), and means for calculating 
q(x) = Q(b1^2(x)+f(x) mod a1^2(x), a1(x)), where Q(A,B) is the 
quotient of A/B, are provided. Thus, a separate q(x) is 
defined. 

An apparatus for calculating a'(x) and b'(x) of a reduced 
divisor D'=g.c.d.((a'(x)),(y-b'(x))) which is linearly 
equivalent to D1+D2 for a divisor D1=g.c.d.((a1(x)),(y-b1(x))) 
and a divisor D2=g.c.d.((a2(x)),(y-b2(x))) on the Jacobian of 
a hyperelliptic curve y^2+y=f(x) defined over GF(2^n) 
comprises: means for calculating 
q(x) = s1(x)(b1(x)+b2(x)) mod a2(x) by using s1(x) in 
s1(x)a1(x)+s2(x)a2(x)=1 in the case GCD(a1(x),a2(x))=1, where 
GCD denotes the greatest common divisor of polynomials; means 
for calculating 
α(x) = Q(q^2(x)a1(x), a2(x)) + Q(f(x), a1(x)a2(x)) 

(or α(x) = Q(q^2(x)a2(x), a1(x)) + Q(f(x), a1(x)a2(x))), which 
is rendered a monic polynomial, where Q(A,B) is the quotient 
of A/B; means for calculating 
β(x) = (q(x)a1(x)+b1(x)+1) mod α(x) 
(or β(x) = (q(x)a2(x)+b2(x)+1) mod α(x)); means for 
calculating a'(x) = Q(f(x)+β^2(x), α(x)); and means for 
calculating b'(x) = (β(x)+1) mod a'(x). 

On the other hand, in the case of D1=D2, it comprises: means 
for calculating q(x) = Q(b1^2(x)+f(x) mod a1^2(x), a1(x)), 
where Q(A,B) is the quotient of A/B; means for calculating 
α(x) = q^2(x) + Q(f(x), a1^2(x)), which is rendered a monic 
polynomial; means for calculating 
β(x) = (b1^2(x)+f(x) mod a1^2(x) + 1) mod α(x); means for 
calculating a'(x) = Q(f(x)+β^2(x), α(x)); and means for 
calculating b'(x) = (β(x)+1) mod a'(x). 

While the above is an organization on the precondition of 
implementation as hardware, it is also possible to transform 
it to be implemented by a computer program, etc. In that 
case, the program will be stored on storage media such as a 
floppy disk, a CD-ROM and other storage devices. 

BRIEF DESCRIPTION OF THE DRAWINGS 
Fig. 1 is a block diagram of the entire present invention. 

Fig. 2 is a diagram showing the initial state of register 
group 1 in implementing the algorithm of the present 
invention (ordinary addition). 

Fig. 3 is a diagram showing the state of Ureg storing the 
result in process of q(x) = s1(b1+b2) mod a2. 

Fig. 4 is a diagram showing the state of Ureg storing the 
result in process of q(x) = s1(b1+b2) mod a2. 

Fig. 5 is a diagram showing the state of Ureg storing the 
result in process of q(x) = s1(b1+b2) mod a2. 

Fig. 6 is a diagram showing the state of Zreg storing the 
final result of q(x). 

Fig. 7 is a diagram showing the state of Ureg storing the 
result in process of a4(x) = Q(q^2 a1, a2) + x + c2 + e2. 

Fig. 8 is a diagram showing the state of Ureg storing the 
result in process of a4(x) = Q(q^2 a1, a2) + x + c2 + e2. 

Fig. 9 is a diagram showing the state of Ureg storing the 
result in process of a4(x) = Q(q^2 a1, a2) + x + c2 + e2. 

Fig. 10 is a diagram showing the state of Ureg storing the 
result in process of a4(x) = Q(q^2 a1, a2) + x + c2 + e2. 

Fig. 11 is a diagram showing the state of Ureg storing the 
result in process of a4(x) = Q(q^2 a1, a2) + x + c2 + e2. 

Fig. 12 is a diagram showing the state of Ureg storing the 
result in process of a4(x) = Q(q^2 a1, a2) + x + c2 + e2. 

Fig. 13 is a diagram showing the state of Xreg storing the 
final result of a4(x) rendered monic. 

Fig. 14 is a diagram showing the state of Ureg storing the 
result in process of b4(x) = (qa1+b1+1) mod a4. 

Fig. 15 is a diagram showing the state of Ureg storing the 
result in process of b4(x) = (qa1+b1+1) mod a4. 

Fig. 16 is a diagram showing the state of Ureg storing the 
result in process of b4(x) = (qa1+b1+1) mod a4. 

Fig. 17 is a diagram showing the state of Ureg storing the 
result in process of b4(x) = (qa1+b1+1) mod a4. 

Fig. 18 is a diagram showing the state of Ureg storing the 
result in process of b4(x) = (qa1+b1+1) mod a4. 

Fig. 19 is a diagram showing the state of Yreg and Zreg 
storing the final result of b4(x). 

Fig. 20 is a diagram showing the state of Ureg storing the 
result in process of a5(x) = Q(x^7 + b4^2, a4). 

Fig. 21 is a diagram showing the state of Ureg storing the 
result in process of a5(x) = Q(x^7 + b4^2, a4). 

Fig. 22 is a diagram showing the state of Ureg storing the 
result in process of a5(x) = Q(x^7 + b4^2, a4). 

Fig. 23 is a diagram showing the state of Ureg storing the 
result in process of a5(x) = Q(x^7 + b4^2, a4). 

Fig. 24 is a diagram showing the state of Xreg storing the 
final result of a5(x). 

Fig. 25 is a diagram showing the state of Ureg storing the 
result in process of b5(x) = (b4+1) mod a5(x). 

Fig. 26 is a diagram showing the state of Zreg storing the 
final result of b5(x). 

Fig. 27 is a diagram showing the state of Ureg storing the 
result in process of q(x) = Q(b3, a1). 

Fig. 28 is a diagram showing the state of Ureg storing the 
result in process of q(x) = Q(b3, a1). 

Fig. 29 is a diagram showing the state of Ureg storing the 
final result of q(x). 

Fig. 30 is a diagram showing the state of Xreg storing 
a4(x) = q^2(x) + x rendered monic. 

Fig. 31 is a diagram showing the state of Ureg storing the 
result in process of b4 = (b3+1) mod a4. 

Fig. 32 is a diagram showing the state of Ureg storing the 
result in process of b4 = (b3+1) mod a4. 

Fig. 33 is a diagram showing the state of Yreg and Zreg 
storing the final result of b4. 

Fig. 34 is a flowchart showing the algorithm of the present 
invention. 

Fig. 35 is a diagram showing the configuration of an ordinary 
computer. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 

First, the basic algorithm of the present invention is 
explained. 

Meanwhile, in performing an addition, the greatest common 
divisor of the polynomials a1 and a2 must be acquired. 
However, when the ground field is large and a1 and a2 are the 
coordinates of two randomly selected elements of the 
Jacobian, the case GCD(a1,a2)=1 is extremely likely. 
Therefore, this application deals only with the case 
GCD(a1,a2)=1 hereafter, since processing in the case that a1 
and a2 have a common divisor does not greatly affect 
performance. In addition, the greatest common divisor of 
polynomials GCD(a1,a2)=1 is represented by polynomials s1 and 
s2 as s1(x)a1(x) + s2(x)a2(x) = 1. Moreover, even in 
calculating in the case that they have a common divisor, 
generalized lemmas 1 and 2 for simplifying procedure 1, which 
are explained later, and the function Q(u,v) for simplifying 
procedure 2 can be used. 

Moreover, Euclid's algorithm is usually used for the 
operation of procedure 1 (1) of the background art, namely 
to acquire the polynomials s1, s2 and the greatest common 
divisor of polynomials. Euclid's algorithm is used for 
calculating an error-locator polynomial or an error-evaluator 
polynomial in the decoding of Reed-Solomon codes, etc., and 
it is frequently implemented. For instance, see Japanese 
Unexamined Patent Publication No. Hei 7-202718 or Japanese 
Unexamined Patent Publication No. Sho 62-122332. Accordingly, 
in the present invention, the process for seeking only the 
greatest common divisor d of the two polynomials and s1 (or 
s2) which meets d = s1a1 + s2a2 is handled as already 
calculated. It can also be calculated by using the following 
example of implementation (Fig. 1), for instance. Explanation 
of the details of the actual operation is omitted, but s1(x) 
is output on Yreg. Also, s1(x) is normalized so that the 
common divisor of polynomials d equals 1. 

In the case that a1 and a2 have no common divisor, the 
algorithm for the operation in the Jacobian (background art) 
can be transformed for procedure 1 (2) and thereafter as 
follows. 

Transformation 1 (a case of normal addition) 

Input a1, a2, b1, b2 
Output a', b' 

a3(x) = a1a2 

b3(x) = (s1a1b2 + s2a2b1) mod a3 
a4(x) = (f + b3 + b3^2)/a3 

a4(x) rendered monic (the leading coefficient is made 1) 
b4(x) = (b3+1) mod a4(x) 
while (deg a4(x) > g) { 

a' = a5(x) = (f + b4 + b4(x)^2)/a4(x) 
b' = b5(x) = (b4+1) mod a5(x) 

a4(x) = a' 
b4(x) = b' 

} 
end 

f(x)=x^7 is used for this algorithm. In procedure 2 (1) of 
the algorithm for the operation, the degrees of a and b are 
first reduced by 2 and thereafter reduced by 2 (or 1), which 
shows that an a' of degree 3 or less is acquired by executing 
the content of the while loop once. The polynomial reduced in 
the remainder calculation of b3 is an expression of degree 7, 
and the dividend polynomial for the calculation of a4(x) is 
an expression of degree 10, thus requiring plenty of 
calculation. To reduce it, a new polynomial 
q(x) = s1(b1+b2) mod a2 is introduced. 

Lemma 1 

The first a4(x) in transformation 1 is given by using q(x) 
in a4(x) = Q(q^2 a1, a2) + Q(f, a3). Here, Q(u,v) is a 
function which gives the quotient of u/v. 

(Proof) 

First, we show b3(x) = qa1 + b1. Note the above-mentioned 
assumption s1a1 + s2a2 = 1 and deg a1a2 > deg b1; b3(x) is 
calculated as follows. 
b3(x) = (s1a1b2 + s2a2b1) mod a3 

      = (s1a1b2 + (1+s1a1)b1) mod a1a2 

      = (s1a1(b1+b2)) mod a1a2 + b1 

      = {(s1(b1+b2)) mod a2} a1 + b1 

      = qa1 + b1      (#) 

Next, since the division to calculate a4 is exact, and 
Q(b3,a3) = 0 from deg b3 < deg a3, 

a4(x) = Q(f + b3 + b3^2, a3) 

      = Q(f, a3) + Q(b3^2, a3). 

If (#) is substituted into the second term, and noting 
Q(b1^2, a3) = 0 from deg b1^2 < deg a3, 

Q(b3^2, a3) = Q(q^2 a1^2 + b1^2, a3) = Q(q^2 a1^2, a3) 

From this, a4(x) = Q(q^2 a1, a2) + Q(f, a3).   Q.E.D. 
If the input polynomials are defined as 

a1(x) = x^3 + c2x^2 + c1x + c0 
a2(x) = x^3 + e2x^2 + e1x + e0 
b1(x) = d2x^2 + d1x + d0 

b2(x) = f2x^2 + f1x + f0, 

and f(x)=x^7 is used, the second term of a4 becomes 
Q(x^7, a3) = x + c2 + e2. From this, if transformation 1 is 
rewritten by using q(x), it becomes the following algorithm 
of the present invention. 

Algorithm of the present invention (addition) 
Input a1, a2, b1, b2 
Output a', b' 

q(x) = s1(b1+b2) mod a2 

a4(x) = Q(q^2 a1, a2) + x + c2 + e2 

a4(x) ← a4(x)/leading coefficient of a4(x) (monic) 
b4(x) = (qa1 + b1 + 1) mod a4 
if (deg a4 > 3) then 

a' = a5(x) = Q(x^7 + b4^2, a4) 
b' = b5(x) = (b4+1) mod a5 
else a' = a4, b' = b4 
end 

In the calculation of a5(x), Q(b4,a4) = 0 is used because 
deg b4 < deg a4. In this algorithm, a3(x) and the polynomial 
of degree 10 divided by it have disappeared, and it is no 
longer necessary to calculate the remainder polynomial and 
the division by it. Also, only 9 multiplications are 
necessary for calculating a4(x), since the degree of q^2 a1 
inside Q is 7 and the ground field has characteristic 2. In 
addition, b4(x), which is not necessary for the calculation 
of a5(x), is eliminated from inside Q. Thus, it becomes 
possible to significantly reduce the number of calculations. 

Next, doubling arithmetic is considered. The following 
transformation 2 is acquired by transforming procedure 1 (2) 
of the background art as in the previous case. 

Transformation 2 
Input a1, b1 
Output a', b' 
a3(x) = a1^2 

b3(x) = (b1^2 + f) mod a3 
a4(x) = (f + b3 + b3^2)/a3 

a4(x) ← a4(x)/leading coefficient of a4(x) 
b4(x) = (b3+1) mod a4 

while (deg a4 > g) { 

a' = a5(x) = (f + b4 + b4^2)/a4 

b' = b5(x) = (b4+1) mod a5 

a4 = a', b4 = b' 

} 

end 

As in the case of additions, the degree of the dividend 
polynomial for the calculation of a4(x) is 10 and requires 
plenty of calculation. To reduce it, q(x) = Q(b3, a1) is 
introduced. 

Lemma 2 

a4(x) in transformation 2 is given by using q(x) in 
a4(x) = q^2 + Q(f, a3). 

(Proof) 

Since Q(b3,a3) = 0 from deg b3 < deg a3, 
a4(x) = Q(f, a3) + Q(b3^2, a3). 

Suppose b3/a1 = r1 + s1/a1, deg s1 < deg a1 (r1, s1 ∈ k[x], 
where k is a field of characteristic 2); then 
b3^2/a1^2 = r1^2 + s1^2/a1^2, and the second term Q(b3^2, a3) 
is Q(b3, a1)^2 = q^2. Therefore, a4(x) = q^2 + Q(f, a3). 
Q.E.D. 

If f(x)=x^7 is used as in the case of additions, it becomes 
Q(x^7, a3) = x since there is no odd-degree term in 
a3(x) = a1^2(x). From this, if transformation 2 is rewritten 
by q(x), the following algorithm of the present invention 
(doubling arithmetic) is acquired. 

Algorithm of the present invention (doubling arithmetic) 
Input a1, b1 
Output a', b' 

b3(x) = b1^2 + x(a1 + x^3)^2 

q(x) = Q(b3, a1) 

a4(x) = q^2 + Q(f, a3) 
a4(x) ← a4(x)/leading coefficient of a4(x) 
b4(x) = (b3+1) mod a4 

if (deg a4 > g) then 

a' = a5(x) = Q(x^7 + b4^2, a4) 

b' = b5(x) = (b4+1) mod a5 
else a' = a4, b' = b4 
end 

Moreover, in the calculation of b3(x), it is used that 
b1^2 mod a3 = b1^2 from deg b1^2 < deg a3, and that 
x^7 mod a3 = x(x^3)^2 mod a3 = x(a1 + (a1 + x^3))^2 mod a3 
= x(a1 + x^3)^2 mod a3 = x(a1 + x^3)^2. Also, it is not 
necessary to store the calculation result of b3(x). This is 
because a square can be implemented on a Galois field of 
characteristic 2 with small-scale hardware, and it is more 
advantageous in terms of size to have a squarer than a 
register. In particular, it can be implemented just by a bit 
shift when a normal basis is used. When b3(x) is necessary, 
a1(x) and b1(x) can be input to the squarer so that its 
output can be used directly. 
As with ordinary additions, in this algorithm, a3(x) and the 
polynomial of degree 10 divided by it have disappeared, and 
it is no longer necessary to calculate the remainder 
polynomial and the division by it. Also, the degree of a4(x) 
is 4, and since the ground field has characteristic 2, only 
squaring is necessary for calculating it, not multiplication. 
In addition, for the calculation of a5(x), b4(x), which is 
not necessary, is eliminated from inside Q. 

Meanwhile, lemma 1 holds in cases other than h(x)=1. Also, 
Q(f,a3) can easily be calculated, noting that the degree of f 
is 2g+1 and the degree of a3 is 2g. 

In addition, the hyperelliptic curve may be other than 
y^2+y=x^7, which is used above. For instance, in the case of 
g=3, there are K=GF(2^61), f(x) = x^7+x+1; K=GF(2^67), 
f(x) = x^7+1, etc. If the portion of x^7 in the above 
algorithm is replaced by such an f(x), it remains effective 
to newly introduce q(x). 
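As an added example (not the patent's own code and not tied to its register hardware), the following Python implements the addition and doubling algorithms above for y^2+y=x^7 and checks the Lemma 1 and Lemma 2 identities against Transformations 1 and 2. It assumes a deliberately small constructed field GF(2^4) with modulus x^4+x+1, builds its input divisors from constructed curve points, and all helper names (fmul, pdivmod, bezout_s1, reduce_divisor, demo, and so on) are this example's own.

```python
# Added example (not the patent's own code): the q(x) addition and doubling formulas, cross-checked
# against Transformations 1 and 2 on y^2 + y = x^7 over a constructed tiny field GF(2^4).
N, POLY, G = 4, 0b10011, 3          # GF(2^4) with modulus x^4 + x + 1 (constructed choice); genus 3
F, X = [0] * 7 + [1], [0, 1]        # f(x) = x^7 and x; polynomials are lists, low degree first

def fmul(a, b):                     # GF(2^N) product by shift-and-xor reduction
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if a >> N:
            a ^= POLY
    return r
finv = lambda a: next(b for b in range(1, 1 << N) if fmul(a, b) == 1)   # inverse, brute force

def trim(p):                        # drop leading zero coefficients in place; [] is the zero polynomial
    while p and p[-1] == 0:
        p.pop()
    return p
def padd(p, q):
    n = max(len(p), len(q))
    return trim([(p[i] if i < len(p) else 0) ^ (q[i] if i < len(q) else 0) for i in range(n)])
def pmul(p, q):
    r = [0] * (len(p) + len(q) - 1) if p and q else []
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            r[i + j] ^= fmul(pi, qj)
    return trim(r)
def pdivmod(u, v):                  # (Q(u, v), u mod v): quotient and remainder by v
    u, inv = trim(list(u)), finv(v[-1])
    q = [0] * max(len(u) - len(v) + 1, 0)
    while len(u) >= len(v):
        shift, c = len(u) - len(v), fmul(u[-1], inv)
        q[shift] = c
        for i, vi in enumerate(v):
            u[shift + i] ^= fmul(c, vi)
        trim(u)
    return trim(q), u
pquo = lambda u, v: pdivmod(u, v)[0]
pmod = lambda u, v: pdivmod(u, v)[1]
monic = lambda p: [fmul(c, finv(p[-1])) for c in p]

def bezout_s1(a1, a2):              # s1 with s1*a1 + s2*a2 = 1, normalised as the patent requires
    r0, r1, s0, s1 = a1, a2, [1], []
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1, s0, s1 = r1, r, s1, padd(s0, pmul(q, s1))
    assert len(r0) == 1, "GCD(a1, a2) != 1: outside the case the patent treats"
    return [fmul(c, finv(r0[0])) for c in s0]

def on_curve(a, b):                 # div(a, b) is a divisor of the curve iff a divides f + b^2 + b
    return pmod(padd(padd(F, pmul(b, b)), b), a) == []

def reduce_divisor(a4, b3):         # a4 made monic, b4 = (b3 + 1) mod a4, then at most one
    a4 = monic(a4)                  # Procedure 2 step: a5 = Q(x^7 + b4^2, a4), b5 = (b4 + 1) mod a5
    b4 = pmod(padd(b3, [1]), a4)
    if len(a4) - 1 <= G:
        return a4, b4
    a5 = monic(pquo(padd(F, pmul(b4, b4)), a4))
    return a5, pmod(padd(b4, [1]), a5)

def add_divisors(a1, b1, a2, b2):   # addition with q(x) = s1(b1 + b2) mod a2 (Lemma 1)
    q = pmod(pmul(bezout_s1(a1, a2), padd(b1, b2)), a2)
    a3, b3 = pmul(a1, a2), padd(pmul(q, a1), b1)            # b3 = q a1 + b1, equation (#)
    a4 = padd(pquo(pmul(pmul(q, q), a1), a2), pquo(F, a3))  # Q(q^2 a1, a2) + Q(f, a3)
    assert a4 == pquo(padd(padd(F, b3), pmul(b3, b3)), a3)  # Lemma 1 vs Transformation 1
    return reduce_divisor(a4, b3)

def double_divisor(a1, b1):         # doubling with q(x) = Q(b3, a1) (Lemma 2)
    a3, t = pmul(a1, a1), padd(a1, [0, 0, 0, 1])            # a3 = a1^2, t = a1 + x^3
    b3 = padd(pmul(b1, b1), pmul(X, pmul(t, t)))            # b3 = b1^2 + x(a1 + x^3)^2
    assert b3 == pmod(padd(pmul(b1, b1), F), a3)            # equals (b1^2 + f) mod a3
    q = pquo(b3, a1)
    a4 = padd(pmul(q, q), pquo(F, a3))                      # q^2 + Q(f, a3), here q^2 + x
    assert a4 == pquo(padd(padd(F, b3), pmul(b3, b3)), a3)  # Lemma 2 vs Transformation 2
    return reduce_divisor(a4, b3)

def solve_y(x):                     # smallest y with y^2 + y = x^7, or None (brute force)
    c = 1
    for _ in range(7): c = fmul(c, x)
    return next((y for y in range(1 << N) if fmul(y, y) ^ y == c), None)

def divisor_from_points(pts):       # a = prod (x + xi), b = Lagrange interpolant with b(xi) = yi
    a, b = [1], []
    for xi, yi in pts:
        a, li = pmul(a, [xi, 1]), [yi]
        for xj, _ in pts:
            if xj != xi:
                inv = finv(xi ^ xj)
                li = pmul(li, [fmul(xj, inv), inv])        # times (x + xj) / (xi + xj)
        b = padd(b, li)
    return a, b

def demo():                         # two coprime constructed divisors, then D1 + D2 and 2*D1
    xs = [x for x in range(1 << N) if solve_y(x) is not None][:6]
    d1 = divisor_from_points([(x, solve_y(x)) for x in xs[:3]])
    d2 = divisor_from_points([(x, solve_y(x)) for x in xs[3:]])
    return add_divisors(*d1, *d2), double_divisor(*d1)
```

The assertions inside add_divisors and double_divisor are the lemma checks; demo() returns the reduced sum and the reduced double, each of which should again satisfy on_curve with deg a' at most 3.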

Fig. 1 shows an example of implementation of the above 
algorithm. Register group 1 is connected with selector 1 (3) 
and selector 2 (9). Both selector 1 (3) and selector 2 (9) 
are connected with multipliers and squaring operators 5 and 
inverter 7. Selector 1 (3) is a selector for input to a 
register, and selector 2 (9) is a selector for input to the 
multipliers, squaring operators and inverter. Moreover, 
selector 1 (3), selector 2 (9), multipliers and squaring 
operators 5 and inverter 7 are controlled by controller 11 as 
to their operation (indicated by a broken line in Fig. 1). 
Register group 1 includes registers Ureg, Xreg, Yreg and 
Zreg, used as a work area and for storing a result, and 
registers a1, a2, b1 and b2 for storing a1(x), a2(x), b1(x) 
and b2(x) respectively. Moreover, Ureg and Xreg have four 
locations while the remaining registers have three locations. 
Furthermore, although it is not illustrated, adders are 
provided in the multipliers and squaring operators 5, etc. 
and are operated if additions are instructed by controller 
11. 

It is explained how the circuit in Fig. 1 operates in 
implementing the algorithm of the present invention 
(addition). Fig. 2 shows the initial state of register group 
1. As a prerequisite, Yreg is storing each coefficient of 
s1(x) = s12x^2 + s11x + s10. Also, a1, a2, b1 and b2 are 
storing the coefficients of a1(x), a2(x), b1(x) and b2(x) 
respectively. However, the coefficient of the third-order 
term, which is the highest order, is 1, so it does not need 
to be stored. Namely, a1 is storing c2, c1 and c0, a2 is 
storing e2, e1 and e0, b1 is storing d2, d1 and d0, and b2 is 
storing f2, f1 and f0. 

First, the calculation for acquiring q(x) = s1(b1+b2) mod a2 
is performed. Selector 2 (9) fetches the necessary values 
from register group 1 to implement the following calculation 
and inputs them into the multipliers and squaring operators 5. 
(1) p4 = s12 b'2 [coefficient of x^4] 

p3 = s12 b'1 + s11 b'2 [coefficient of x^3] 

p2 = s12 b'0 [coefficient of x^2] 

Here, it is as follows. 
(b1+b2) 
= (d2+f2)x^2 + (d1+f1)x + (d0+f0) 
= b'2x^2 + b'1x + b'0 

Moreover, it is as follows. 

s1(b1+b2) 
= (s12 b'2)x^4 
+ (s12 b'1 + s11 b'2)x^3 
+ (s12 b'0 + s11 b'1 + s10 b'2)x^2 
+ (s11 b'0 + s10 b'1)x 
+ s10 b'0 

Accordingly, the calculation of (1) is the calculation of the 
complete coefficients of the fourth-order and third-order 
terms and of part of the coefficient of the second-order term 
of s1(b1+b2). These calculation results are stored in Ureg 
by selector 1 (3) (Fig. 3: only Ureg is illustrated). A 
calculation such as (1) is performed because there is a 
prerequisite that only four of the multipliers and squaring 
operators 5 can be used at a time; since Ureg has four 
locations, it is also possible to calculate the coefficients 
of the top four terms in (1) if the number of multipliers is 
not limited. Also, since the remainder calculation modulo a2 
is performed, any term of s1(b1+b2) below the third order, 
which is the highest order of a2, will remain as is. 
Accordingly, the result will be the same even if the 
coefficients of the second-order or lower terms are added 
after the remainder calculation. 

Next, for p4x^4 + p3x^3 + p2x^2, the remainder calculation 
modulo a2(x) = x^3 + e2x^2 + e1x + e0 and the calculation of 
s10 b'0 = p0 for the coefficient of the 0-th order term of 
s1(b1+b2) are performed. Accordingly, selector 2 (9) fetches 
the necessary values and inputs them into the multipliers and 
squaring operators 5. 
(2) (p4x^4 + p3x^3 + p2x^2) mod a2 
s10 b'0 [coefficient of x^0] 

If (p4x^4 + p3x^3 + p2x^2) mod a2 is described in more 
detail, it is as follows. 

p'3 = (p3 + p4e2) [coefficient of x^3] 

p'2 = (p2 + p4e1) [coefficient of x^2] 

p'1 = p4e0 [coefficient of x] 

And 

p'0 = s10 b'0 [coefficient of x^0] 

is also implemented. 

Selector 1 (3) stores these calculation results in Ureg (Fig. 
4: only Ureg is illustrated). A calculation such as (2) is 
performed because the number of multipliers and squaring 
operators 5 is four. 

Next, the calculation of (p'3x^3 + p'2x^2 + p'1x + p'0) mod a2 
is performed. If this is described in more detail, it is as 
follows, and selector 2 (9) fetches the necessary values and 
inputs them into the multipliers and squaring operators 5. 
(3) p''2 = (p'2 + p'3e2) [coefficient of x^2] 

p''1 = (p'1 + p'3e1) [coefficient of x^1] 

p''0 = (p'0 + p'3e0) [coefficient of x^0] 

Selector 1 (3) stores these calculation results in Ureg (Fig. 
5: only Ureg is illustrated). 

Of s1(b1+b2) in the above calculation, 

(s11 b'1 + s10 b'2)x^2 + (s11 b'0 + s10 b'1)x has not yet been 
considered. 

Accordingly, to perform the following calculation, selector 2 
(9) fetches the necessary values and inputs them into the 
multipliers and squaring operators 5. 
(4) p''2 + (s11 b'1 + s10 b'2) [coefficient of x^2] 
p''1 + (s11 b'0 + s10 b'1) [coefficient of x] 

By these calculations, q(x) = q2x^2 + q1x + q0 is acquired. 
Selector 1 (3) stores these calculation results in Zreg (Fig. 
6: only Zreg is illustrated). 

Next, the calculation of a4(x) = Q(q^2 a1, a2) + x + c2 + e2 
is implemented. For this, q^2 a1 is calculated first. 
However, it is not necessary to calculate the second-order or 
lower terms, since it is the calculation of a quotient by a2. 
To perform the following calculation, selector 2 (9) fetches 
the necessary values from register group 1 and inputs them 
into the multipliers and squaring operators 5. 
(1) p7 = q2^2 [coefficient of x^7] 

p6 = q2^2 c2 [coefficient of x^6] 

p5 = q2^2 c1 + q1^2 [coefficient of x^5] 

p4 = q1^2 c2 + q2^2 c0 [coefficient of x^4] 

Here, the calculation of the third-order term of q^2 a1 is 
not implemented since the number of multipliers and the 
locations of Ureg are lacking. Selector 1 (3) stores these 
calculation results in Ureg (Fig. 7: only Ureg is 
illustrated). 

Moreover, q^2 a1 is as follows. 
q^2 a1 = 
q2^2 x^7 + 
q2^2 c2 x^6 + 
(q2^2 c1 + q1^2)x^5 + 
(q1^2 c2 + q2^2 c0)x^4 + 
(q1^2 c1 + q0^2)x^3 + 
(q1^2 c0 + q0^2 c2)x^2 + 
q0^2 c1 x + q0^2 c0 

Along with the calculation of (1), the calculation of the 
inverse of q2^2 is started. For this, selector 2 (9) inputs 
into inverter 7 the result q2^2 calculated by the multipliers 
and squaring operators 5. It is assumed: q~ = 1/q2^2. 
Next, the quotient by $a_2$ is obtained. It is produced by repeated remainder calculation by $a_2$. Selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(2) $p'_6 = p_6 + p_7 e_2$ [coefficient of $x^6$]
    $p'_5 = p_5 + p_7 e_1$ [coefficient of $x^5$]
    $p'_4 = p_4 + p_7 e_0$ [coefficient of $x^4$]
    $p'_3 = q_1^2 c_1 + q_0^2$ [coefficient of $x^3$]

In this quotient calculation the first quotient term obtained is $p_7 x^4$. Since $p_7$ has already been obtained and $a_4$ is finally rendered monic, it need not be stored in Ureg. Selector 1 (3) stores these calculation results in Ureg (Fig. 8: only Ureg is illustrated).

Remainder calculation by $a_2$ is performed again. Since the coefficient of the third-order term of $a_4$ (before rendering monic) is also obtained in this calculation, it is stored in Ureg as well. Accordingly, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(3) $p''_5 = p'_5 + p'_6 e_2$ [coefficient of $x^5$]
    $p''_4 = p'_4 + p'_6 e_1$ [coefficient of $x^4$]
    $p''_3 = p'_3 + p'_6 e_0$ [coefficient of $x^3$]

$a_4$ before rendering monic is written
$$a_4(x) = a'_{44} x^4 + a'_{43} x^3 + a'_{42} x^2 + a'_{41} x + a'_{40},$$
and here $a'_{43} = p'_6$ [coefficient of the third-order term of $a_4$].

Selector 1 (3) fetches $p'_6$ from Ureg and stores it along with these calculation results in Ureg (Fig. 9: only Ureg is illustrated).

Remainder calculation by $a_2$ is performed once more. Since the coefficient of the second-order term of $a_4$ (before rendering monic) is also obtained in this calculation, it is stored in Ureg as well. Accordingly, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(4) $p_{34} = p''_4 + p''_5 e_2$ [coefficient of $x^4$]
    $p_{33} = p''_3 + p''_5 e_1$ [coefficient of $x^3$]

Here $a'_{42} = p''_5$ [coefficient of the second-order term of $a_4$].

Selector 1 (3) fetches $p''_5$ and $a'_{43}$ from Ureg and stores them along with these calculation results in Ureg (Fig. 10: only Ureg is illustrated).

Remainder calculation by $a_2$ is performed once more. Since the coefficient of the first-order term of $a_4$ (before rendering monic) is also obtained in this calculation, it is stored in Ureg as well, and the $x$ term of $a_4$, which is not part of $Q$, is added here. Accordingly, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(5) $p_{43} = p_{33} + p_{34} e_2$ [coefficient of $x^3$]
    $a'_{41} = p_{34} + 1$ [coefficient of the first-order term of $a_4$]

Selector 1 (3) fetches $a'_{42}$ and $a'_{43}$ from Ureg and stores them along with these calculation results in Ureg (Fig. 11: only Ureg is illustrated).

Next, to obtain the constant term of $a_4$ (before rendering monic) and to add the remaining term of $a_4$ not part of $Q$, namely $c_2 + e_2$, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(6) $a'_{40} = p_{43} + c_2 + e_2$ [constant term of $a_4$]

Selector 1 (3) fetches $a'_{42}$, $a'_{43}$ and $a'_{41}$ from Ureg and stores them along with this result in Ureg (Fig. 12: only Ureg is illustrated). Thus the value of $a_4$ before rendering monic is obtained.
Next, $a_4$ is rendered monic. $a_4$ is of fourth order and its leading coefficient is $q_2^2$. Accordingly, once the calculation above has finished, each coefficient held in Ureg is multiplied by $\bar q$: selector 2 (9) fetches the necessary values from inverter 7 and register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(7) $a_{43} = a'_{43} \bar q$
    $a_{42} = a'_{42} \bar q$
    $a_{41} = a'_{41} \bar q$
    $a_{40} = a'_{40} \bar q$

Selector 1 (3) stores these calculation results in Xreg (Fig. 13: only Xreg is illustrated). Thus the monic $a_4(x) = x^4 + a_{43} x^3 + a_{42} x^2 + a_{41} x + a_{40}$ is obtained.

Next, $b_4(x) = (q a_1 + b_1 + 1) \bmod a_4$ is calculated. First, $(q a_1 + b_1 + 1)$ is formed in the following manner because of the limited number of Ureg locations and multipliers. Since $a_4$ is a polynomial of degree 4, the result is the same if the terms of degree 3 and lower of $(q a_1 + b_1 + 1)$ are added after the remainder calculation. Selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(8) $p_5 = q_2$ [coefficient of $x^5$]
    $p_4 = q_2 c_2 + q_1$ [coefficient of $x^4$]
    $p_3 = q_2 c_1 + q_1 c_2 + q_0$ [coefficient of $x^3$]
    $p_2 = d_2 + q_2 c_0$ [coefficient of $x^2$]

Selector 1 (3) stores these calculation results in Ureg (Fig. 14: only Ureg is illustrated).

In full,
$$q a_1 + b_1 + 1 = q_2 x^5 + (q_2 c_2 + q_1) x^4 + (q_2 c_1 + q_1 c_2 + q_0) x^3 + (d_2 + q_2 c_0 + q_1 c_1 + q_0 c_2) x^2 + (d_1 + q_1 c_0 + q_0 c_1) x + d_0 + q_0 c_0 + 1.$$

Then the remainder by $a_4$ is calculated. Since a term of $x^1$ appears through this remainder calculation, the addition of $d_1 x$ is performed at the same time. In detail, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(9) $p'_4 = p_4 + p_5 a_{43}$ [coefficient of $x^4$]
    $p'_3 = p_3 + p_5 a_{42}$ [coefficient of $x^3$]
    $p'_2 = p_2 + p_5 a_{41}$ [coefficient of $x^2$]
    $p'_1 = p_5 a_{40} + d_1$ [coefficient of $x^1$]

Selector 1 (3) stores these calculation results in Ureg (Fig. 15: only Ureg is illustrated).

Remainder calculation by $a_4$ is performed again. Since the coefficient of $x^0$ is produced by this remainder calculation, the addition of $d_0 + 1$ is performed at the same time. In detail, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(10) $p''_3 = p'_3 + p'_4 a_{43}$ [coefficient of $x^3$]
     $p''_2 = p'_2 + p'_4 a_{42}$ [coefficient of $x^2$]
     $p''_1 = p'_1 + p'_4 a_{41}$ [coefficient of $x^1$]
     $p''_0 = p'_4 a_{40} + d_0 + 1$ [coefficient of $x^0$]

Selector 1 (3) stores these calculation results in Ureg (Fig. 16: only Ureg is illustrated).

Next, the terms of $(q a_1 + b_1 + 1)$ that do not influence the remainder calculation by $a_4$ and have not yet been added in (8) through (10) are added. In detail, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(11) $p_{32} = p''_2 + c_1 q_1$ [coefficient of $x^2$]
     $p_{31} = p''_1 + c_0 q_1$ [coefficient of $x^1$]

Selector 1 (3) stores these calculation results in Ureg (Fig. 17: only Ureg is illustrated).

The remaining terms of $(q a_1 + b_1 + 1)$ that do not influence the remainder calculation by $a_4$ and have not been added in (8) through (11) are now added. In detail, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(12) $b_{42} = p_{32} + c_2 q_0$ [coefficient of $x^2$]
     $b_{41} = p_{31} + c_1 q_0$ [coefficient of $x^1$]
     $b_{40} = p''_0 + c_0 q_0$ [coefficient of $x^0$]

Selector 1 (3) stores these calculation results in Ureg (Fig. 18: only Ureg is illustrated).

Thus $b_4(x)$ is obtained; it is written $b_4(x) = b_{43} x^3 + b_{42} x^2 + b_{41} x + b_{40}$, with $b_{43} = p''_3$. Finally, selector 1 (3) stores the contents of Ureg in Yreg and Zreg (Fig. 19: only Yreg and Zreg are illustrated).
Next, $a_5(x) = Q(x^7 + b_4^2, a_4)$ is calculated. Since $a_4$ is a polynomial of degree 4, the terms of degree 3 and lower of $x^7 + b_4^2$ are not needed for the quotient. As $b_4^2 = b_{43}^2 x^6 + b_{42}^2 x^4 + b_{41}^2 x^2 + b_{40}^2$, only $x^7 + b_{43}^2 x^6 + b_{42}^2 x^4$ is used. Selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(1) $p_{17} = 1$ [coefficient of $x^7$]
    $p_{16} = b_{43}^2$ [coefficient of $x^6$]
    $p_{15} = 0$ [coefficient of $x^5$]
    $p_{14} = b_{42}^2$ [coefficient of $x^4$]

Selector 1 (3) stores these calculation results in Ureg (Fig. 20: only Ureg is illustrated).

Next, remainder calculation by $a_4$ is performed. Concretely, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(2-1) $p_{26} = p_{16} + p_{17} a_{43} = p_{16} + a_{43}$ [coefficient of $x^6$]
      $p_{25} = p_{15} + p_{17} a_{42} = a_{42}$ [coefficient of $x^5$]
      $p_{24} = p_{14} + p_{17} a_{41} = p_{14} + a_{41}$ [coefficient of $x^4$]

Moreover, $a_{53} = p_{17} = 1$ [coefficient of the third-order term of $a_5$].

Selector 1 (3) fetches $p_{17} = 1$ and stores it along with these calculation results in Ureg (Fig. 21: only Ureg is illustrated). Here $a_5(x) = a_{53} x^3 + a_{52} x^2 + a_{51} x + a_{50}$.

Remainder calculation by $a_4$ is performed again. Concretely, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(2-2) $p_{35} = p_{25} + p_{26} a_{43}$ [coefficient of $x^5$]
      $p_{34} = p_{24} + p_{26} a_{42}$ [coefficient of $x^4$]

Moreover, $a_{52} = p_{26}$ [coefficient of the second-order term of $a_5$].

Selector 1 (3) fetches $p_{17}$ and $p_{26}$ and stores them along with these calculation results in Ureg (Fig. 22: only Ureg is illustrated).

Remainder calculation by $a_4$ is performed once more. Concretely, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(2-3) $a_{50} = p_{34} + p_{35} a_{43}$ [constant term of $a_5$]

Moreover, $a_{51} = p_{35}$ [coefficient of the first-order term of $a_5$].

Selector 1 (3) fetches $p_{17}$, $p_{26}$ and $p_{35}$ and stores them along with this result in Ureg (Fig. 23: only Ureg is illustrated). Thus $a_5$ is obtained.

In process (3), selector 1 (3) moves $a_5(x)$ from Ureg into Xreg (Fig. 24: only Xreg is illustrated).

Next, $b_5(x) = (b_4 + 1) \bmod a_5(x)$ is calculated. $b_4$ is stored in Yreg and Zreg. First, as process (4), selector 1 (3) stores $b_{43}$, $b_{42}$, $b_{41}$ and $b_{40} + 1$ in Ureg (Fig. 25: only Ureg is illustrated).

Next, remainder calculation by $a_5$ is performed. The required calculation is as follows; selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5.

(5) $b_{52} = b_{42} + b_{43} a_{52}$ [coefficient of the second-order term of $b_5$]
    $b_{51} = b_{41} + b_{43} a_{51}$ [coefficient of the first-order term of $b_5$]
    $b_{50} = (b_{40} + 1) + b_{43} a_{50}$ [coefficient of the 0-th-order term of $b_5$]

It is written $b_5(x) = b_{52} x^2 + b_{51} x + b_{50}$. Selector 1 (3) stores these calculation results in Zreg (Fig. 26: only Ureg is illustrated). Accordingly, $a_5$ and $b_5$ are held in Xreg and Zreg, and the result is $a' = a_5$, $b' = b_5$.

Operation of the circuit in Fig. 1 when implementing the doubling arithmetic of the algorithm of the present invention is now explained. The initial state in Fig. 2 is not much different in the case of doubling; however, the registers for $a_2$ and $b_2$ are left empty.

First, in order to calculate $q(x) = Q(b_3, a_1)$, $b_3(x) = b_1^2 + x(a_1 + x^3)^2$ is calculated. Since $a_1$ is a polynomial of degree 3, only the terms of third order and higher of $b_3(x)$ need to be computed. In detail, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(1) $b_{35} = c_2^2$ [coefficient of $x^5$]
    $b_{34} = d_2^2$ [coefficient of $x^4$]
    $b_{33} = c_1^2$ [coefficient of $x^3$]

Selector 1 (3) stores these calculation results in Ureg (Fig. 27: only Ureg is illustrated).

In full,
$$b_1^2 + x(a_1 + x^3)^2 = c_2^2 x^5 + d_2^2 x^4 + c_1^2 x^3 + d_1^2 x^2 + c_0^2 x + d_0^2 = b_{35} x^5 + b_{34} x^4 + b_{33} x^3 + b_{32} x^2 + b_{31} x + b_{30}.$$

Next, $Q(b_3, a_1)$ is calculated. In detail, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(2-1) $p_{14} = b_{34} + b_{35} c_2$ [coefficient of $x^4$]
      $p_{13} = b_{33} + b_{35} c_1$ [coefficient of $x^3$]
      $p_{12} = b_{35} c_0$ [coefficient of $x^2$]

Moreover, $q_2 = b_{35}$, where $q(x) = q_2 x^2 + q_1 x + q_0$. Selector 1 (3) fetches $b_{35}$ from register group 1 and stores it along with these calculation results in Ureg (Fig. 28: only Ureg is illustrated).

Likewise, remainder calculation by $a_1$ is performed. In detail, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(2-2) $p_{23} = p_{13} + p_{14} c_2$ [coefficient of $x^3$]
      ($p_{22} = p_{12} + p_{14} c_1$ [coefficient of $x^2$], which does not contribute to the quotient)

Moreover, $q_1 = p_{14}$ and $q_0 = p_{23}$. Selector 1 (3) fetches $q_2$ and $p_{14}$ from register group 1 and stores them along with these calculation results in Ureg (Fig. 29: only Ureg is illustrated).

To obtain the inverse of $c_2^2$ at the same time, selector 2 (9) takes $c_2^2$ from squaring operators 5 and inputs it into inverter 7. Here $\bar q = 1/c_2^2$.

Since $a_4(x) = q^2(x) + x$ must be rendered monic, the following calculation is performed. The leading coefficient of $q^2 + x$ is $q_2^2 = c_2^4$, so each coefficient is multiplied by $\bar q^2 = 1/c_2^4$. Selector 2 (9) fetches the necessary values from register group 1 and inverter 7 and inputs them into multipliers and squaring operators 5.

(3) $a_{43} = 0$ [coefficient of $x^3$]
    $a_{42} = q_1^2 \bar q^2$ [coefficient of $x^2$]
    $a_{41} = 1 \cdot \bar q^2$ [coefficient of $x$]
    $a_{40} = q_0^2 \bar q^2$ [coefficient of $x^0$]

Selector 1 (3) stores these calculation results in Xreg (Fig. 30: only Xreg is illustrated). Since $a_{44} = 1$ [coefficient of $x^4$], it need not be stored explicitly. It is written $a_4(x) = x^4 + a_{43} x^3 + a_{42} x^2 + a_{41} x + a_{40}$.

Next, $b_4 = (b_3 + 1) \bmod a_4$ is calculated. Since $a_4$ is a polynomial of degree 4, the result is the same if the terms of degree 3 and lower of $(b_3 + 1)$ are added after the remainder calculation. Considering the limited number of Ureg locations and multipliers, the following calculation is performed. Selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5.

(4) $b_{35} = c_2^2$ [coefficient of $x^5$]
    $b_{34} = d_2^2$ [coefficient of $x^4$]
    $b_{33} = c_1^2$ [coefficient of $x^3$]
    $b_{32} = d_1^2$ [coefficient of $x^2$]

Selector 1 (3) stores these calculation results in Ureg (Fig. 31: only Ureg is illustrated).

Then remainder calculation by $a_4$ is performed, and the first-order term of $b_3$ is added at the same time. In detail, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(5) $p_{14} = b_{34} + b_{35} a_{43} = b_{34}$ [coefficient of $x^4$]
    $p_{13} = b_{33} + b_{35} a_{42}$ [coefficient of $x^3$]
    $p_{12} = b_{32} + b_{35} a_{41}$ [coefficient of $x^2$]
    $p_{11} = b_{35} a_{40} + c_0^2$ [coefficient of $x^1$]

Selector 1 (3) stores these calculation results in Ureg (Fig. 32: only Ureg is illustrated).

Remainder calculation by $a_4$ is performed again, and the constant term of $b_3$ and the 1 are added at the same time. In detail, selector 2 (9) fetches the necessary values from register group 1 and inputs them into multipliers and squaring operators 5 to perform the following calculation.

(6) $p_{23} = p_{13} + p_{14} a_{43}$ [coefficient of $x^3$]
    $p_{22} = p_{12} + p_{14} a_{42}$ [coefficient of $x^2$]
    $p_{21} = p_{11} + p_{14} a_{41}$ [coefficient of $x^1$]
    $p_{20} = p_{14} a_{40} + d_0^2 + 1$ [coefficient of $x^0$]

Selector 1 (3) stores these calculation results in Yreg and Zreg (Fig. 33: only Yreg and Zreg are illustrated). Thus $b_4(x) = p_{23} x^3 + p_{22} x^2 + p_{21} x + p_{20}$ is obtained.

The calculation from here on is the same as for an ordinary addition.

The above is illustrated as a processing flow in Fig. 34. First, $a_1(x)$, $b_1(x)$, $a_2(x)$ and $b_2(x)$ are input (step 100); in the case of doubling, only $a_1(x)$ and $b_1(x)$ are input. Next, the process branches depending on whether it is an ordinary addition or a doubling (step 110). In the case of doubling, $\bar q = 1/c_2^2$ is calculated (step 120), and $q(x) = Q(b_3, a_1)$ is calculated and stored in Ureg (step 130); in the circuit of Fig. 1, steps 120 and 130 are performed simultaneously. Then $a_4(x) = \bar q^2 (\mathrm{Ureg}^2 + x)$, which is monic, is calculated and stored in Xreg (step 140). If, on the other hand, step 110 determines an ordinary addition, the greatest common divisor polynomial of $a_1$ and $a_2$ is calculated; if it is not 1, the case is not handled by the present invention. Then $s_1$ with $s_1(x) a_1(x) + s_2(x) a_2(x) = 1$ is calculated and stored in Yreg (step 150). Next, $q(x) = s_1(b_1 + b_2) \bmod a_2$ is calculated and stored in Zreg (step 160), $\bar q = 1/q_2^2$ is calculated (step 170), and $Q(q^2 a_1, a_2) + x + c_2 + e_2$ is calculated and stored in Ureg (step 180); steps 170 and 180 are performed simultaneously in the circuit of Fig. 1. Then $a_4(x) = \bar q \cdot \mathrm{Ureg}$, which is monic, is calculated and stored in Xreg (step 190).

The following process is common to ordinary addition and doubling. $b_4(x) = (b_3 + 1) \bmod a_4$ is calculated and stored in Yreg and Zreg (step 200); however, the definition of $b_3$ differs between the two cases ($b_3 = q a_1 + b_1$ for an ordinary addition, $b_3 = b_1^2 + x(a_1 + x^3)^2$ for a doubling). Then $a_5(x) = Q(x^7 + b_4^2, a_4)$ is calculated and stored in Xreg (step 210). Finally, $b_5(x) = (b_4 + 1) \bmod a_5$ is calculated and stored in Zreg (step 220).
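The whole procedure of Fig. 34 written out as plain polynomial arithmetic, as an added example that is not part of the patent: each of the steps (1) through (12) above becomes one line of polynomial multiplication or long division here, and the addition and doubling routines are checked against each other. Two things the page never states are assumed: the curve is $y^2 + y = x^7$ ($f(x) = x^7$ is the only $f$ consistent with the step $a_5 = Q(x^7 + b_4^2, a_4)$ and with $b_3 = b_1^2 + x(a_1 + x^3)^2$ in doubling), and the field is GF($2^{31}$) with reduction polynomial $x^{31} + x^3 + 1$, a well-known irreducible trinomial, in place of the GF($2^{59}$) polynomial of the hardware. The names gf_mul, pdivmod, pxgcd, jac_add, jac_double, random_divisor and self_check are this example's own, and the multiplicative inverse is taken by Fermat's theorem rather than by the Itoh-Tsujii method the page relies on, which does not change any result.

```python
"""Added example, not the patent's code: the page's addition and doubling on the Jacobian of
y^2 + y = x^7 over GF(2^N), h(x) = 1.  Assumed: f(x) = x^7 and GF(2^31) = GF(2)[x]/(x^31 + x^3 + 1)."""
import random

N, MOD = 31, (1 << 31) | (1 << 3) | 1               # field elements are ints below 2^N
F = [0] * 7 + [1]                                    # f(x) = x^7 as a coefficient list, constant term first
SEVENTH_ROOT = pow(7, -1, (1 << N) - 1)              # gcd(7, 2^31 - 1) = 1, so x -> x^7 is a bijection

def gf_mul(a, b):                                    # shift-and-add multiply, reducing by MOD on the fly
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), (a << 1) ^ (MOD if a >> (N - 1) else 0), b >> 1
    return r

def gf_pow(a, e):                                    # square-and-multiply
    r = 1
    while e:
        r, a, e = gf_mul(r, a) if e & 1 else r, gf_mul(a, a), e >> 1
    return r

def gf_inv(a):                                       # Fermat: a^(2^N - 2); the page's hardware uses Itoh-Tsujii
    return gf_pow(a, (1 << N) - 2)

def trim(p):                                         # canonical form: no leading zeros, the zero polynomial is [0]
    return p[:max(1, max([i + 1 for i, c in enumerate(p) if c] or [0]))]

def padd(p, q):
    return trim([(p[i] if i < len(p) else 0) ^ (q[i] if i < len(q) else 0) for i in range(max(len(p), len(q)))])

def psq(p):                                          # characteristic 2: (sum p_i x^i)^2 = sum p_i^2 x^(2i)
    return trim([gf_mul(p[i // 2], p[i // 2]) if i % 2 == 0 else 0 for i in range(2 * len(p) - 1)])

def monic(p):
    return [gf_mul(c, gf_inv(p[-1])) for c in p]

def pmul(p, q):
    r = [0] * (len(p) + len(q) - 1)
    for i, u in enumerate(p):
        for j, v in enumerate(q):
            r[i + j] ^= gf_mul(u, v)
    return trim(r)

def pdivmod(p, d):                                   # long division: the page's repeated "remainder calculation by a2"
    p, q, inv = list(p), [0] * max(1, len(p) - len(d) + 1), gf_inv(d[-1])
    for i in range(len(p) - len(d), -1, -1):         # peel the top term off and fold it into the lower ones
        q[i] = c = gf_mul(p[i + len(d) - 1], inv)
        for j, v in enumerate(d):
            p[i + j] ^= gf_mul(c, v)
    return trim(q), trim(p[:len(d) - 1] or [0])

def pxgcd(p, q):                                     # (g, s) with s p = g (mod q) and g monic
    r0, r1, s0, s1 = p, q, [1], [0]
    while r1 != [0]:
        qt, rm = pdivmod(r0, r1)
        r0, r1, s0, s1 = r1, rm, s1, padd(s0, pmul(qt, s1))
    return monic(r0), [gf_mul(c, gf_inv(r0[-1])) for c in s0]

def is_divisor(a, b):                                # (a, b) represents a divisor of the curve iff a | b^2 + b + f
    return pdivmod(padd(padd(psq(b), b), F), a)[1] == [0]

def reduce_once(a4, b4):                             # steps 210-220 of Fig. 34, common to both operations
    if len(a4) <= 4:                                 # degree <= g = 3 already: nothing left to reduce
        return a4, b4
    a5 = pdivmod(padd(F, psq(b4)), a4)[0]            # Q(x^7 + b4^2, a4); monic because a4 is
    return a5, pdivmod(padd(b4, [1]), a5)[1]         # b5 = (b4 + 1) mod a5

def jac_add(a1, b1, a2, b2):                         # ordinary addition, steps 150-200 (two degree-3 inputs)
    g, s1 = pxgcd(a1, a2)                            # step 150: s1 a1 + s2 a2 = 1
    assert g == [1], "gcd(a1, a2) != 1 is not handled by the page's algorithm"
    q = pdivmod(pmul(s1, padd(b1, b2)), a2)[1]       # step 160: q = s1 (b1 + b2) mod a2
    a4 = monic(padd(pdivmod(pmul(psq(q), a1), a2)[0], [a1[2] ^ a2[2], 1]))  # 180-190: Q(q^2 a1, a2) + x + c2 + e2
    b4 = pdivmod(padd(padd(pmul(q, a1), b1), [1]), a4)[1]  # step 200: (q a1 + b1 + 1) mod a4
    return reduce_once(a4, b4)

def jac_double(a1, b1):                              # doubling, steps 120-200 of Fig. 34
    b3 = padd(psq(b1), pmul([0, 1], psq(padd(a1, [0, 0, 0, 1]))))  # b1^2 + x (a1 + x^3)^2
    q = pdivmod(b3, a1)[0]                           # step 130: q = Q(b3, a1)
    a4 = monic(padd(psq(q), [0, 1]))                 # step 140: q^2 + x, scaled by 1/c2^4
    return reduce_once(a4, pdivmod(padd(b3, [1]), a4)[1])  # step 200: b4 = (b3 + 1) mod a4

def random_divisor(rng):                             # P0 + P1 + P2 with distinct x, in the (a, b) form of the page
    pts = {}
    while len(pts) < 3:                              # choose y, then solve x^7 = y^2 + y by a 7th root
        y = rng.getrandbits(N)
        pts[gf_pow(gf_mul(y, y) ^ y, SEVENTH_ROOT)] = y
    a, b = [1], [0]
    for x0, y0 in pts.items():                       # a = prod (x + x_i); b interpolates the y_i (Lagrange)
        a, li = pmul(a, [x0, 1]), [y0]
        for x1 in (z for z in pts if z != x0):
            li = [gf_mul(v, gf_inv(x0 ^ x1)) for v in pmul(li, [x1, 1])]
        b = padd(b, li)
    return a, b

def self_check(seed=2024):                           # 2 D1 + D2 via jac_double and (D1 + D2) + D1 via jac_add alone
    rng = random.Random(seed)
    d1, d2 = random_divisor(rng), random_divisor(rng)
    lhs, rhs = jac_add(*jac_double(*d1), *d2), jac_add(*jac_add(*d1, *d2), *d1)
    return lhs == rhs and is_divisor(*lhs) and len(lhs[0]) == 4 and len(lhs[1]) < 4
```

random_divisor builds the divisor of three curve points ($a$ the product of the $x + x_i$, $b$ the interpolating polynomial), which is why $\gcd(a_1, a_2) = 1$ holds for independent random inputs, the only case the page treats. self_check() returns True when $2D_1 + D_2$ computed through jac_double and $(D_1 + D_2) + D_1$ computed through jac_add alone give the same $(a_5, b_5)$: the reduced representative of a divisor class is unique, so the two routines verify each other, and the result is also checked to satisfy $a_5 \mid b_5^2 + b_5 + f$ with $\deg a_5 = 3$.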

A process as in Fig. 34 can also be implemented as a program for an ordinary computer (Fig. 35, for instance). However, the attainable speed is limited, because squaring cannot be performed fast on an ordinary computer.

Moreover, an encryptor, a decoder or an encryption system including them can be constructed by implementing an apparatus and a program that execute the algorithm of the present invention.

[Advantages of the Invention]

Operation on the Jacobian has been implemented with improved computation complexity.

Operation on the Jacobian has also been implemented with reduced hardware size.

[Evaluation of Computation Complexity]

The number of multiplications executed by the algorithm of the present invention (ordinary addition and doubling) is evaluated. Hereafter, m denotes one multiplier performing one multiplication, and M denotes the group of multipliers performing one round of multiplications simultaneously; that is, m counts multiplications and M counts invocations of the multiplier group. I denotes one computation of a multiplicative inverse. I, M and m are used to express computation complexity; for instance, I+2m means one inverse computation and two multiplications. Tables 1 and 2 summarize the computation complexity of an addition and of a doubling.
[Table 1] Ordinary addition

Calculation     Computation complexity   Call frequency   Time
GCD             3I+23m                   3I+9M            3t(I)+9t(M)
q(x)            15m                      4M               4t(M)
a4(x)           I+20m                    I+6M             t(I)+t(M)
b4(x)           17m                      5M               5t(M)
a5(x), b5(x)    6m                       3M               3t(M)
Total           4I+81m                   4I+27M           4t(I)+22t(M)
[Table 2] Doubling arithmetic

Calculation     Computation complexity   Call frequency   Time
q(x)            3m                       2M               0
a4(x)           I+2m                     I+M              t(I)+t(M)
b4(x)           8m                       2M               2t(M)
a5(x), b5(x)    6m                       3M               3t(M)
Total           I+19m                    I+8M             t(I)+6t(M)
In Tables 1 and 2, t(I) is the time for computing a multiplicative inverse and t(M) the time for computing a multiplication. Squaring is disregarded, since it executes in one clock cycle.

In Table 1 (addition), t(I) > 5t(M) is assumed. This makes it possible to compute the multiplicative inverse used for rendering a4(x) monic while a4(x) itself is being computed. In Table 2 (doubling), t(I) > 2t(M) is assumed, which allows q(x) and the multiplicative inverse for rendering a4(x) monic to be computed concurrently.

t(I) = 8t(M) holds on GF(2^59) by the method described in "A Fast Algorithm for Computing Multiplicative Inverse in GF(2^m) Using Normal Bases," T. Itoh, S. Tsujii, Inform. and Comput., vol. 83, no. 1, pp. 171-177 (1989) (hereafter referred to as the Itoh-Tsujii method). Applying this to Tables 1 and 2 (I = 8m and t(I) = 8t(M)), the computation complexity is 113m and the time 54t(M) for an ordinary addition, and the computation complexity is 27m and the time 14t(M) for a doubling.
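The Itoh-Tsujii inverse and the count the figures above rely on, as an added example that is not the patent's code: $a^{-1} = (a^{2^{n-1}-1})^2$ is built along the binary expansion of $n - 1$, so the number of multiplications is $\lfloor \log_2 (n-1) \rfloor + \mathrm{HW}(n-1) - 1$, which is 8 for $n = 59$ and is what t(I) = 8t(M) expresses when squarings are not counted (in a normal basis a squaring is a cyclic shift; on the page's hardware it is a one-clock squaring operator). The field GF($2^{31}$) with $x^{31} + x^3 + 1$ is assumed here only to check that the result is really the inverse, since the multiplication and squaring counts depend on $n$ alone; gf_mul, itoh_tsujii and multiplications_needed are this example's own names.

```python
"""Added example, not the patent's code: Itoh-Tsujii inversion with an operation count.
Assumed field: GF(2^31) = GF(2)[x]/(x^31 + x^3 + 1); the page's hardware uses GF(2^59)."""
N, MOD = 31, (1 << 31) | (1 << 3) | 1

def gf_mul(a, b):                                    # shift-and-add multiply in GF(2^N)
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), (a << 1) ^ (MOD if a >> (N - 1) else 0), b >> 1
    return r

def itoh_tsujii(a, n=N):
    """Return (a^-1, multiplications, squarings) using beta_k = a^(2^k - 1):
    beta_2k = beta_k^(2^k) * beta_k and beta_(2k+1) = beta_2k^2 * a, following the bits of n - 1
    from the most significant one; a^-1 = beta_(n-1)^2 because a^(2^n - 1) = 1."""
    beta, k, muls, sqrs = a, 1, 0, 0                 # beta_1 = a
    for bit in bin(n - 1)[3:]:                       # bits of n - 1 after the leading 1
        t = beta
        for _ in range(k):                           # k squarings: cyclic shifts in a normal basis
            t = gf_mul(t, t)
        beta, muls, sqrs, k = gf_mul(t, beta), muls + 1, sqrs + k, 2 * k
        if bit == "1":
            beta, muls, sqrs, k = gf_mul(gf_mul(beta, beta), a), muls + 1, sqrs + 1, k + 1
    return gf_mul(beta, beta), muls, sqrs + 1

def multiplications_needed(n):                       # floor(log2(n - 1)) + popcount(n - 1) - 1
    return (n - 1).bit_length() - 1 + bin(n - 1).count("1") - 1
```

For $n = 31$ the chain uses 7 multiplications and 30 squarings; for $n = 59$ ($58 = 111010_2$) multiplications_needed gives $5 + 4 - 1 = 8$, the value that turns 4I+81m into 113m and I+19m into 27m above. In a polynomial-basis software implementation the $n - 1$ squarings are not free, which is the point the page makes about ordinary computers.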
On the other hand, the results reported in "Construction and Implementation of a Secure Hyperelliptic Curve Cryptosystems," Yasuyuki Sakai, Yuichi Ishizuka and Kouichi Sakurai, SCIS'98-10.1.B, Jan. 1998 (hereafter referred to as Reference 1) are as shown in Table 3.



[Table 3] Operation counts of Reference 1

          Addition                                      Doubling arithmetic
          Multiplication   Multiplicative inverse       Multiplication   Multiplicative inverse
g=1       3                1                            3                1
g=3       401              0                            265              0
g=11      17477            0                            10437            0

Comparing Table 3 with Tables 1 and 2, the algorithm of the present invention is about 3.5 times better in computation complexity (401 multiplications against 113m) and 7 times better in time (against 54t(M)) for an ordinary addition, and about 10 times better in computation complexity (265 against 27m) and 19 times better in time (against 14t(M)) for a doubling. The utilization of the seven multipliers is 0.572 for ordinary additions and 0.45 for doublings. Accordingly, the algorithm of the present invention computes more efficiently and with a higher degree of parallelism than the conventional technique.

[Evaluation of Processing Performance]

Table 4 shows the time required for a scalar multiplication by an integer of about 160 bits, calculated from Tables 1 and 2 on the assumption of 160 doublings and 80 additions. With t(I) = 8t(M) as above, a doubling takes 14t(M) and an addition 54t(M), so one scalar multiplication takes 160 × 14 + 80 × 54 = 6560 t(M); for example, Case C at 20 MHz is 6560 clock cycles, or 0.328 ms.



[Table 4] Time for a 160-bit scalar multiplication

Operating    Clock cycles required for one multiplication
frequency    Case A: t(M)=59 clocks   Case B: t(M)=8 clocks   Case C: t(M)=1 clock
20MHz        19.35ms                  2.624ms                 0.328ms
40MHz        9.68ms                   1.312ms                 0.164ms
80MHz        4.84ms                   0.656ms                 0.082ms

On the other hand, the software implementation of Reference 1 on an Alpha 21164 (250 MHz) (Alpha is a trademark of Digital Equipment Corp.) required 500 µs for an addition, 50 µs for a doubling and 118 ms for a 160-bit scalar multiplication. Compared with this result, the hardware implementation of the algorithm of the present invention at an operating frequency of 20 MHz is 5 times faster in Case A, 50 times faster in Case B and 360 times faster in Case C. Considering that, for the RSA cipher, dedicated hardware is only about 5 times faster than a general-purpose MPU with roughly 10 times its operating frequency, it can be said that hyperelliptic curve cryptosystems and the algorithm of the present invention are well suited to hardware implementation.

In addition, for the 160-bit-key elliptic curve cryptosystem, which is considered equal in security, it is reported that signing takes at most 3.6 ms at an operating frequency of 20 MHz according to Technical Bulletin, NIKKEI ELECTRONICS, 3/23/1998 (No. 712), p. 23, and that 27K-gate hardware takes an average processing time of 60 ms at an operating frequency of 20 MHz according to "Prototyping Hyperelliptic Curve Cryptosystem Chip," Naoya Torii, Souichi Okada, Takayuki Hasebe, Singaku Society Univ., A-7-1, Oct. 1998. Compared with these, the proposed algorithm performs equally or several times faster.

Here an elliptic curve cryptosystem ($g = 1$) and a hyperelliptic curve cryptosystem (arbitrary $g > 1$) are compared as to processing performance and power consumption. The computation of a hyperelliptic curve cryptosystem is more complicated than that of an elliptic curve cryptosystem, but a Galois field of about $1/g$ the size can be used. Generally, for a field GF($2^n$), the hardware volume and the power consumption of a multiplier are proportional to the square of $n$, and its computation speed is proportional to $1/\{1 - \log_n g\}$. Accordingly, the dependence of the multiplier's performance on the genus is $g^4 \{1 + \log_n g + (\log_n g)^2 + \cdots\}$, whereas the computation complexity grows in proportion to $g^3$. Thus, asymptotically, a hyperelliptic curve cryptosystem is more advantageous by a factor of $g\{1 + \log_n g + \cdots\}$. From the viewpoint of hardware implementation, it is a further advantage that a hyperelliptic curve cryptosystem allows $g$-fold parallelism.

[Evaluation in the case of Mapping to a Gate Array]

In the above explanation, t(M) and the number of multiplications were used for evaluation. To know the maximum operating frequency, the circuit must actually be designed and mapped to a semiconductor technology. So, for Case B of Table 4, where a multiplier computes in 8 clocks, a design written in VHDL (IEEE Std 1076-1987) and mapped to a CMOS gate array technology (IBM CMOS 5SE) with an effective channel length of Leff = 0.27 µm was evaluated. The results were a maximum delay between registers of 12 ns (corresponding to a maximum operating frequency of 83 MHz) and a hardware size of approximately 140K cells. The size of each block is given in Table 5.
[Table 5] Block sizes

Block in Fig. 1    Size (cells)    Notes
Multiplier         34265           7 multipliers
Squaring           1344            3 squaring operators
Inverter           27414
Register group     18408           26 59-bit registers (including 12 coefficients)
Controller         9749
Selector 1         37140
Selector 2         17402
Total              145722
The total of 145722 cells was brought down to approximately 140K cells by optimizing the timing of the whole circuit after connecting the blocks, a saving of about 5K cells. This operating frequency and size are practical figures compared with cryptographic VLSI such as RSA. As the primitive polynomial of GF(2^59), $p(x) = x^{59} + x^6 + x^5 + x^4 + x^3 + x + 1$ was used. The reason is that an optimal normal basis (a normal basis of GF($2^n$) in which one bit of a product can be represented as a sum of $2n - 1$ terms) does not exist for GF(2^59), and a cyclotomic field exists only for an even-degree extension when the base field is GF(2).
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